個人資料保護辦公室

Gabinete para a Protecção de Dados Pessoais

Office for Personal Data Protection

Complaint Case Notes
Print

No: 0035/2011/IP

Title: Placing the course enrolment data of employees onto one collective application form

Reason: Referral

Brief:

    Bureau A forwarded a complaint made by a staff from Bureau B to the Office for Personal Data Protection (GPDP). The complaint indicated that all the staff of Bureau B had to fill in their personal data such as their identity card numbers and academic qualifications onto one application form to enroll in course “X”, which led to the data to be seen by applicants from another course while the form was being passed around. In addition, Bureau B saved the respective application form within a common computer folder which could be accessed by all the staff with computer accounts.

Analysis:

    The data processing of current caseis regulated by the “Personal Data Protection Act” under its Articles 4(1)(1) and 3(1).
  The application forms involved in the present case were about the collective application forms of Bureau A’s course, which required applicants to fill in information such as their names, identity card numbers, job positions/ranks, academic qualifications and telephone numbers, etc.
  Bureau B explained that the collective application forms for course “X” could be obtained through Bureau A’s internal network and the staff could download it individually. After completing the form, they needed to submit it to their supervisor for endorsement and send it back to the team of instructors via a specific e-mail account, which could only be accessed by duly authorized personnel. If a person enrolled in Bureau A’s courses for the first time, a photocopy of his identity card must also be submitted by the department to the Division of Training and Documentation within a sealed envelope.
  Afterwards, GPDP received a letter from Bureau A, stating that it had cancelled collective application forms for its courses and switched to individual application forms with the identity card number column only requiring the first 5 digits or letters (a photocopy of the identity card was still required for those enrolling for the first time) so as to better protect personal data.
  In this case, as the data being processed was not considered sensitive data under Articles 7 and 8 of the “Personal Data Protection Act” and data that was suspected of being involved in illegal activities, or in criminal or administrative offences. Bureau B should comply with the relevant security criteria specified in Article 15 of the “Personal Data Protection Act” to process such common personal data.
  After investigation, GPDP felt that Bureau B implemented all the appropriate security measures by only allowing those staff, who was responsible for the relevant work, accessed and consulted the course application details. There was no evidence that Bureau B breached Article 15 of the “Personal Data Protection Act”.

Result:

    As there was no evidence to prove Bureau B breached Article 15 of the “Personal Data Protection Act” and Bureau A had already switched to using individual application forms, the controversial issues in this case had been resolved. Therefore, GPDP decided to close this case and informed Bureau B, Bureau A and the data subject of its results.

Reference:
Please refer to "Personal Data Protection Act", articles 3,4,7,8,15 .

Back

Avenida da Praia Grande, N.º 804, Edif. China Plaza, 17.º andar, Macau Tel:(853) 2871 6006 Fax:(853) 2871 6116